Orbital Documentation

Cisco Orbital is a service that adds osquery to Secure Endpoint to support detailed and fast queries for incident responders. Orbital is available to Secure Endpoint Advantage customers and currently supported on:

• Windows 10 (1803 or later) / 11
• Windows Server 2012 / 2012 R2 / 2016 / 2019 / 2022
• Windows 10 IoT Enterprise
• macOS 10.15 / 11 / 12 / 13
• RedHat Enterprise Linux (and compatible distributions) 6.10 / 7 (7.2 or later) / 8
• Ubuntu 18.04 / 20.04 / 22.04
• Oracle Linux (UEK) 7 / 8
• Debian 10 / 11
• Amazon Linux 2

Important Points of Note:

• Orbital supports the use of proxies, except SSL terminating proxies. All operating systems can be used with proxies.
• The screen captures in these Help topics may not always reflect the latest product names or UI enhancements.
• Apple Silicon is supported when running macOS 11 or newer.

Table of Contents

• What is Orbital?
  • Orbital For Cisco Secure Endpoint Advantage Customers
  • Using Orbital With Cisco Threat Response
  • Using Orbital From Cisco Secure Malware Analytics
  • Running Queries Using Orbital APIs
  • Querying Windows endpoints with WMI using Orbital
• How Do I Get Orbital?
  • Secure Endpoint
  • Enable Orbital
  • How to Set Up Orbital with Secure Endpoint
  • Explore the Orbital User Interface
• What’s New?
• Frequently Asked Questions
• What is osquery?
  • Differences Between Stock and Orbital’s osquery
• System Requirements
  • SecureX Admin Users
  • Supported Platforms
  • Supported Browsers
  • Network Connectivity
    • Proxy Support
    • North American (NAM) Customers
    • European (EU) Customers
    • Asian and Pacific (APJC) Customers
  • Orbital Integrations
    • Using Orbital with Secure Malware Analytics
    • Using Orbital with Threat Response
    • Linkable SecureX Integration Modules
  • Orbital Settings My Account Tab
    • Setting the Download File Type
    • Setting the Time Options
    • Setting the Default Interval
    • Setting the Default Remote Data Store
  • Orbital Settings User Tab
    • The Manage users in SecureX Link
    • The Show Disabled Users Toggleswitch
    • The User List Panel
    • The Previous/Next Buttons
  • Remote Data Stores
    • Under The Hood
    • Destinations for Remote Data Stores
      • Regional NAT IP Addresses
    • Remote Data Store Errors
    • Managing Your Remote Data Storage Definitions
      • Adding a Remote Data Store
      • Editing a Remote Data Store
      • Deleting a Remote Data Store
      • Setting the Default Remote Data Store for Your Profile
        • Setting Multiple Default Remote Data Stores
    • Fingerprints for Remote Data Stores
  • Results Notifications
    • Orbital Structures Result Notifications
      • RDS Payloads
• Query
  • About SQL
    • SELECT Statement
  • Types of Orbital Queries
    • Scheduled Queries
    • Live Queries
  • Query Prefixes
    • Special Prefixes
    • Dynamic Prefixes
    • Static Prefixes
    • The all Prefix
    • Prefixes for Endpoint Input
    • The allowos Filter and the Orbital Query Catalog
    • Query Success
  • Using Orbital Queries
    • Endpoints - Choose the Query Target
    • SQL - Enter a Query
    • Running a Live Query From the Catalog
    • Saving A Query To the Catalog
    • Live Query
    • Download all as Format Type
  • Schedule Orbital Queries
    • Scheduled Query Behavior
    • Schedule Orbital Query Popup
      • Multiple Data Store Sources
      • Expired Results
    • How to Schedule a Query
    • Managing a Remote Data Store
      • How to Select Multiple Remote Data Stores
  • Linked Queries
    • Using Linked Queries
      • Accessing Linked Queries
      • Accessing Linked Queries from the Query Page
      • Accessing Linked Queries from the Results Page
• Results
  • Results Page
    • Scheduled Query Run Time Display
  • Query Result Details
    • The Result Details Controls Pane
    • The General Query Information Pane
    • The Results Details Node List Pane
    • The Results Node Details Pane
  • Expired Results
• Catalog Page
  • The Edit Query Function
  • Mitre Att&ck Adherence
    • The Mitre Att&ck Indicator
  • Using the Query Catalog
    • Viewing Catalog Queries
    • Finding Catalog Queries with Filter and Search
    • Editing a Custom Query
    • Copy or Add the SQL to a New Query
    • Upload Queries
    • Download Organization Queries
    • Download Query Template
• Endpoints Page
  • View Endpoint Information
  • Using allowos In Endpoint Searches
  • Download all as Format Type
    • Downloading All Endpoint Records for Your Organization
• Orbital Nodes
  • Support Policy for Orbital Node Versions
  • The Orbital Node’s Impact on Network and Endpoint Infrastructure
  • Orbital Node Version Releases
• Orbital APIs
  • Examples
  • Orbital Service Addresses
  • Request ID
  • Client Authentication
    • Creating a New Client
    • Getting an Access Token
    • Checking Your Token
  • Orbital API Errors
    • 400 Invalid Request
    • 401 Unauthorized
  • Query API
    • Request Parameters
    • osquery Objects in Queries
    • Postback Objects in Queries
      • Postback Fields
    • Specifying Nodes as Subjects of Queries
    • A Number of Prefixes are Also Available to Identify Nodes by Specific Properties
    • Machine Identifier
    • Query API Limits
    • The None of the specified nodes were found Error Message
    • Example 1: Getting a List of Processes From the Front Desk
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 2: A Non-Stock Query
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 3: A Stock Query
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 4: A Postback, Using an Existing Webhook
      • Scheduled Query Example
      • Live Query or Probe Example
    • Example 5: A Postback, Using a Live Webhook
      • Scheduled Query Example
      • Live Query or Probe Example
  • Results API
    • Example 1: Collecting Lists of Processes
    • Example 2: Collecting More Results
    • Request Parameters
  • Webhook API
    • Create a Remote Data Store
      • Request Parameters
      • Request Payload Format
      • Example of Success
      • Example Of Failure
    • Get a Remote Data Store
    • List Remote Data Stores
  • Orbital OK API
    • GET /v0/ok
      • 200 OK
  • WMI Classes
• Orbital Yara Rules and System Configuration
  • Linux Yara Rules
  • Linux osquery Daemon Configuration
  • Linux osquery Client Configuration
  • macOS Yara Rules
  • macOS osquery Daemon Configuration
  • macOS osquery Client Configuration
  • Windows osquery Client Configuration
• Orbital Troubleshooting
  • SSL Proxies
  • Orbital and osquery Logging
  • Orbital Service (Node) Not Installing
  • Last Seen Timestamps
  • Orbital-related Secure Endpoint Events
  • The Constraint Failed Error Message
  • Windows Troubleshooting
    • Windows Installer References
    • Orbital Installation Failed
    • Powershell Events Not Enabled by Default
    • Troubleshooting Tools
      • Logs
      • Secure Endpoint Diagnostics
    • IP Connectivity Tool
  • macOS Troubleshooting
    • macOS Installer References
    • Orbital Installation Failed
    • Troubleshooting Tools
      • Logs
      • Secure Endpoint Diagnostics
  • Alerts, Errors, and Warnings
    • Alerts
    • Errors
      • Orbital Service (Node) Not Installing
      • 403 Unauthorized Query
      • 400 Invalid Query
      • 500 Query Expired
      • 500 Query Failed
    • Warnings
• Glossary